CVE-2004-1834
CVSS 2.1
Published: 2004-03-20 00:00:00
Last revised: 2016-10-17 23:01:18
NMCO    

[Original] mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information.


[CNNVD] Apache mod_disk_cache Module Client Authentication Information Storage Vulnerability (CNNVD-200403-091)

        
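        Apache is a popular open-source HTTP server.
        The mod_disk_cache module included with Apache has an information disclosure problem; a remote attacker can exploit this vulnerability to obtain sensitive client authentication information.
        The mod_disk_cache module stores all client authentication information on disk. The problem is in the write_headers() function in modules/experimental/mod_disk_cache.c: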
        ========================================================================
        /* Parse the vary header and dump those fields from the headers_in. */
        /* Make call to the same thing cache_select_url calls to crack Vary. */
        /* @@@ Some day, not today. */
        if (r->headers_in) {
            int i;
            apr_table_entry_t *elts = (apr_table_entry_t *)
                apr_table_elts(r->headers_in)->elts;
            for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
                if (elts[i].key != NULL) {
                    buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val,
                                      CRLF, NULL);
                    amt = strlen(buf);
                    apr_file_write(hfd, buf, &amt);
                }
            }
            buf = apr_pstrcat(r->pool, CRLF, NULL);
            amt = strlen(buf);
            apr_file_write(hfd, buf, &amt);
        }
        ========================================================================
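        All r->headers_in fields are written to disk, and this field contains all of the client's authentication information. An attacker can therefore obtain information such as plaintext authentication passwords.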
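
An added example, not part of the advisory or of Apache: a read-only audit an administrator can run over a cache directory to find entries in which the write_headers() loop above stored credential-bearing request headers, and whether other local accounts can read them. The cache directory path, the list of sensitive header names and the sample entry are assumptions constructed for the example.

```python
import os
import re
import stat
import tempfile

# Credential-bearing request headers: this list is an assumption of the example.
SENSITIVE = (b"authorization", b"proxy-authorization", b"cookie")
# write_headers() stores each request header as "Key: value" followed by CRLF.
HEADER_NAME = re.compile(rb"^([A-Za-z0-9-]+): ", re.MULTILINE)


def scan_file(path):
    """Return the sorted names of sensitive headers stored in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    names = {m.group(1).decode("ascii") for m in HEADER_NAME.finditer(data)
             if m.group(1).lower() in SENSITIVE}
    return sorted(names)


def audit_cache_root(root):
    """Return (path, header_names, readable_by_others) per file; no values."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                headers = scan_file(path)
            except OSError:
                continue  # unreadable or vanished entry: skip it
            if headers:
                exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                findings.append((path, headers, exposed))
    return sorted(findings)


def demo():
    """Audit a constructed cache entry (sample data, not a real capture)."""
    with tempfile.TemporaryDirectory() as root:
        entry = os.path.join(root, "constructed-entry")
        with open(entry, "wb") as fh:
            fh.write(b"Host: example.test\r\n"
                     b"Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n")
        os.chmod(entry, 0o644)
        return [(h, e) for _p, h, e in audit_cache_root(root)]


if __name__ == "__main__":
    print(demo())
```

Entries reported with the last field set to True are readable by group or other accounts, which is the local exposure the CVE text describes.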
        

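- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]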

- CPE (Affected Platforms and Products)

cpe:/a:apache:http_server:2.0.28:beta  Apache Software Foundation Apache HTTP Server 2.0.28 Beta
cpe:/a:apache:http_server:2.0.40  Apache Software Foundation Apache HTTP Server 2.0.40
cpe:/a:apache:http_server:2.0.41  Apache Software Foundation Apache HTTP Server 2.0.41
cpe:/a:apache:http_server:2.0.42  Apache Software Foundation Apache HTTP Server 2.0.42
cpe:/a:apache:http_server:2.0.32  Apache Software Foundation Apache HTTP Server 2.0.32
cpe:/a:apache:http_server:2.0.43  Apache Software Foundation Apache HTTP Server 2.0.43
cpe:/a:apache:http_server:2.0.44  Apache Software Foundation Apache HTTP Server 2.0.44
cpe:/a:apache:http_server:2.0.45  Apache Software Foundation Apache HTTP Server 2.0.45
cpe:/a:apache:http_server:2.0.35  Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:2.0.46  Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:2.0.36  Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:2.0.47  Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.37  Apache Software Foundation Apache HTTP Server 2.0.37
cpe:/a:apache:http_server:2.0.48  Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.38  Apache Software Foundation Apache HTTP Server 2.0.38
cpe:/a:apache:http_server:2.0.49  Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:apache:http_server:2.0.9  Apache Software Foundation Apache HTTP Server 2.0.9a
cpe:/a:apache:http_server:2.0.28  Apache Software Foundation Apache HTTP Server 2.0.28
cpe:/a:apache:http_server:2.0.39  Apache Software Foundation Apache HTTP Server 2.0.39
cpe:/a:apache:http_server:2.0  Apache Software Foundation Apache HTTP Server 2.0

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:11133  mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow...
*OVAL describes in detail how to detect this vulnerability; you can find more technical details on detecting it in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1834
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1834
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-091
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=107981737322495&w=2
(UNKNOWN)  BUGTRAQ  20040319 Apache mod_disk_cache stores client authentication credentials on disk
http://securitytracker.com/id?1009509
(VENDOR_ADVISORY)  SECTRACK  1009509
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
(UNKNOWN)  SUNALERT  102198
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://www.redhat.com/support/errata/RHSA-2004-562.html
(UNKNOWN)  REDHAT  RHSA-2004:562
http://www.securityfocus.com/bid/9933
(VENDOR_ADVISORY)  BID  9933
http://www.vupen.com/english/advisories/2006/0789
(UNKNOWN)  VUPEN  ADV-2006-0789
http://xforce.iss.net/xforce/xfdb/15547
(VENDOR_ADVISORY)  XF  apache-moddiskcache-obtain-info(15547)

- Vulnerability Information

Apache mod_disk_cache Module Client Authentication Information Storage Vulnerability
Low severity  Design error
2004-03-20 00:00:00 2005-10-20 00:00:00
Remote
        
        

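- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * The third-party patch provided by Andreas Steinmetz <ast@domdv.de> is as follows: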
        diff -rNu httpd-2.0.49.orig/modules/experimental/cache_util.c httpd-2.0.49/modules/experimental/cache_util.c
        --- httpd-2.0.49.orig/modules/experimental/cache_util.c 2004-02-09 21:53:16.000000000
        +0100
        +++ httpd-2.0.49/modules/experimental/cache_util.c 2004-03-20 15:55:51.000000000 +0100
        @@ -516,3 +516,25 @@
         apr_table_unset(headers_out, "Upgrade");
         return headers_out;
         }
        +
        +/* Create a new table consisting of those elements from a request_rec's
        + * headers_in that are allowed to be stored in a cache.
        + */
        +CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r)
        +{
        + /* Make a copy of the request headers, and remove from
        + * the copy any hop-by-hop headers, as defined in Section
        + * 13.5.1 of RFC 2616
        + */
        + apr_table_t *headers_in;
        + headers_in = apr_table_copy(r->pool, r->headers_in);
        + apr_table_unset(headers_in, "Connection");
        + apr_table_unset(headers_in, "Keep-Alive");
        + apr_table_unset(headers_in, "Proxy-Authenticate");
        + apr_table_unset(headers_in, "Proxy-Authorization");
        + apr_table_unset(headers_in, "TE");
        + apr_table_unset(headers_in, "Trailers");
        + apr_table_unset(headers_in, "Transfer-Encoding");
        + apr_table_unset(headers_in, "Upgrade");
        + return headers_in;
        +}
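Review bot: The apr_table_unset() list in ap_cache_cacheable_hdrs_in() removes only the RFC 2616 section 13.5.1 hop-by-hop headers, so of the credential headers only Proxy-Authorization is dropped; an end-to-end Authorization header (and Cookie) stays in the copy and would still be written to the cache file. If the goal is to keep client credentials off disk, add apr_table_unset(headers_in, "Authorization") here, or store only the request headers named by the response's Vary header, which is what the existing "Parse the vary header" comment in write_headers() says the code is meant to do eventually.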
        diff -rNu httpd-2.0.49.orig/modules/experimental/mod_cache.h httpd-2.0.49/modules/experimental/mod_cache.h
        --- httpd-2.0.49.orig/modules/experimental/mod_cache.h 2004-02-09 21:53:16.000000000
        +0100
        +++ httpd-2.0.49/modules/experimental/mod_cache.h 2004-03-20 15:55:51.000000000 +0100
        @@ -238,6 +238,11 @@
         */
         CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool, apr_table_t
        *t);
        
        +/* Create a new table consisting of those elements from a request_rec's
        + * headers_in that are allowed to be stored in a cache
        + */
        +CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r);
        +
         /**
         * cache_storage.c
         */
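Review bot: The new prototype ap_cache_cacheable_hdrs_in(request_rec *r) takes a whole request_rec, while the ap_cache_cacheable_hdrs_out() declaration just above it takes (apr_pool_t *pool, apr_table_t *t); giving both the same (pool, table) shape would keep the API consistent and let callers filter any table. The doc comment should also state that the result is a copy and name which headers are removed, since "allowed to be stored in a cache" does not tell a caller that end-to-end headers are kept.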
        diff -rNu httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c httpd-2.0.49/modules/experimental/mod_disk_cache.c
        --- httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c 2004-02-09 21:53:16.000000000
        +0100
        +++ httpd-2.0.49/modules/experimental/mod_disk_cache.c 2004-03-20 15:55:51.000000000
        +0100
        @@ -600,8 +600,9 @@
         /* @@@ Some day, not today. */
         if (r->headers_in) {
         int i;
        - apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(r->headers_in)-
        >elts;
        - for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
        + apr_table_t* headers_in = ap_cache_cacheable_hdrs_in(r);
        + apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(headers_in)-
        >elts;
        + for (i = 0; i < apr_table_elts(headers_in)->nelts; ++i) {
         if (elts[i].key != NULL) {
         buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val, CRLF,
        NULL);
         amt = strlen(buf);
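Review bot: The added declaration apr_table_t* headers_in puts the asterisk on the type, unlike the apr_table_entry_t *elts line that follows it; write apr_table_t *headers_in to match. The loop also calls apr_table_elts(headers_in) twice; fetching the const apr_array_header_t * once and reading both elts and nelts from it would be clearer.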
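        Vendor patch:
        Apache Software Foundation
        --------------------------
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: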
        
        http://www.apache.org/

- Vulnerability Information

4446
Apache HTTP Server mod_disk_cache Stores Credentials
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability Description

Apache contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when mod_disk_cache is enabled and stores all client authentication credentials for cached objects on disk, which will disclose authentication information resulting in a loss of confidentiality.

- Timeline

2004-03-20 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

 

 
